PyLocky Ransomware Decryption Tool Released — Unlock Files For Free

If your computer has been infected with PyLocky Ransomware and you are searching for a free ransomware decryption tool to unlock or decrypt your files—your search might end here.

Security researchers at Cisco's Talos cyber intelligence unit have released a free decryption tool that makes it possible for victims infected with the PyLocky ransomware to unlock their encrypted files for free without paying any ransom.

The decryption tool works for everyone, but it has a huge limitation—to successfully recover your files, you must have captured the initial network traffic (PCAP file) between the PyLocky ransomware and its command-and-control (C2) server, which generally nobody purposely does.

This is because the outbound connection—when the ransomware communicates with its C2 server and submit decryption key related information—contains a string that includes both Initialization Vector (IV) and a password, which the ransomware generates randomly to encrypt the files.

"If the initial C2 traffic has not been captured, our decryption tool will not be able to recover files on an infected machine. This is because the initial callout is used by the malware to send the C2 servers information that it uses in the encryption process," the researchers explain.

First spotted by researchers at Trend Micro in July last year, PyLocky ransomware found spreading through spam emails, like most malware campaigns, designed to trick victims into running the malicious PyLocky payload.

To avoid detection by sandbox security software, the PyLocky ransomware sleeps for 999.999 seconds—or just over 11 and a half days—if the affected system's total visible memory size is less than 4GB. The file encryption process only executes if it is greater than or equal to 4GB.

Written in python and packaged with PyInstaller, PyLocky ransomware first converts each file into the base64 format and then uses randomly generated Initialization Vector (IV) and password to encrypt all the files on an infected computer.

Once a computer is encrypted, PyLocky displays a ransom note claiming to be a variant of the well-known Locky ransomware and demands a ransom in cryptocurrency to "restore" the files.

The note also claims to double the ransom every 96 hours if they don't pay to scare victims into paying up the ransom sooner rather than later.

PyLocky primarily targeted businesses in Europe, particularly in France, though the ransom notes were written in English, French, Korean, and Italian, which suggested that it may also have targeted Korean- and Italian-speaking users.